Cross-Site Request Forgery (XSRF) is a class of serious vulnerabilities that exists in nearly every web application ever deployed. The basic problem is that an attacker can host a page with a carefully crafted form that directs a target web application to do anything it could otherwise do, and then trick an authorized user of that web application into submitting the form. For example, the form could submit a request to a bank to transfer money from the victim's account to the attacker's account.
When executed properly, an attack is virtually undetectable—the victim does not see any evidence of it in their browser window, and in the logs of the vulnerable web application, it looks entirely like a completely intentional transaction. Victims will not even be able to prove that they are victims. By destroying the trust required for commerce to function, it is possible that this problem will completely undermine web commerce.
This problem exists because of a security context mismatch: web applications assume that a token that proves identity can also be used to prove intent. This vulnerability is implicit in the way browsers operate, and it is made worse by scripting languages embedded in the browser.
While a client-side fix could be instituted, this is not scalable—it would require that every vulnerable browser (which is to say, every browser currently installed) be replaced.
A server-side fix is a better option. However, this would still require substantial modification to vulnerable web applications. This technique provides a framework for these modifications, with an eye to making them less obtrusive and easier to integrate.
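As an added illustration of the identity-versus-intent mismatch described above (example code written for this page, not part of the original text or any particular framework), the following models a bank transfer handler before and after a server-side fix: the session cookie proves identity, and a separate per-session token that only the application's own pages can embed proves intent. All function and field names are assumed.

```python
# Added example, not from the original text. Minimal in-memory model of a
# transfer endpoint with and without an intent (anti-forgery) token.
import hmac
import secrets

# Constructed in-memory state: session id -> session record.
SESSIONS = {}

def login(user):
    """Issue a session cookie (identity) and a separate CSRF token (intent)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "balance": 100}
    return sid

def render_transfer_form(sid):
    """The application's own page embeds the token in the form as a hidden field."""
    return {"csrf": SESSIONS[sid]["csrf"]}

def transfer_vulnerable(cookie_sid, form):
    """Before: trusts the identity token alone, so a cross-site form succeeds."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return "unauthenticated"
    sess["balance"] -= int(form["amount"])
    return "ok"

def transfer_protected(cookie_sid, form):
    """After: also requires the intent token, which a cross-site page cannot read."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return "unauthenticated"
    submitted = form.get("csrf", "")
    # Constant-time comparison so timing does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return "forbidden"
    sess["balance"] -= int(form["amount"])
    return "ok"

def simulate():
    """Victim is logged in; a cross-site form carries the cookie but not the token."""
    sid = login("victim")
    cross_site = {"amount": "50"}  # a third-party page cannot know the session's token
    r1 = transfer_vulnerable(sid, cross_site)          # succeeds: identity alone accepted
    r2 = transfer_protected(sid, cross_site)           # rejected: no proof of intent
    genuine = {**cross_site, **render_transfer_form(sid)}
    r3 = transfer_protected(sid, genuine)              # succeeds: token from the real form
    return r1, r2, r3, SESSIONS[sid]["balance"]
```

In the vulnerable handler the log entry for the forged request is indistinguishable from a genuine one, which is exactly the detection problem the text describes; the protected handler turns the forged request into a loggable "forbidden" response.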